Skip to content

✨ Add support for AMD SEV-SNP instances #5605

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

✨ Add support for AMD SEV-SNP instances #5605

wants to merge 1 commit into from
+320 −0

Conversation

fangge1212
Copy link

@fangge1212 fangge1212 commented Aug 1, 2025
edited
Loading

This is another version of #5598
Differences:

  • This pr doesn't validate the instance type for AmdSevSnp
  • This pr uses enum type ConfidentialCompute with value AmdSevSnp,Disabled(and TDX in the future) to represent the confidential computing technology.

What type of PR is this?
/kind feature

What this PR does / why we need it:

Special notes for your reviewer:

Checklist:

  • squashed commits
  • includes documentation
  • includes emoji in title
  • adds unit tests
  • adds or updates e2e tests

Release note:

Add support for AMD SEV-SNP instances

@k8s-ci-robot k8s-ci-robot added kind/feature Categorizes issue or PR as related to a new feature. release-note Denotes a PR that will be considered when it comes time to generate release notes. labels Aug 1, 2025
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign fabriziopandini for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Aug 1, 2025
@k8s-ci-robot k8s-ci-robot requested a review from fiunchinho August 1, 2025 03:46
@k8s-ci-robot k8s-ci-robot added needs-priority needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Aug 1, 2025
@k8s-ci-robot
Copy link
Contributor

Hi @fangge1212. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Aug 1, 2025
@fangge1212 fangge1212 mentioned this pull request Aug 1, 2025
Closed
5 tasks
@fangge1212 fangge1212 force-pushed the amd_sev_snp_1 branch 3 times, most recently from 934e570 to 3a228e8 Compare August 6, 2025 22:35
damdo
damdo reviewed Aug 8, 2025
View reviewed changes
Copy link
Member

@damdo damdo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks a lot for the PR @fangge1212

I left a comment about a pattern to follow for the API types

api/v1beta2/awsmachine_types.go Outdated
Comment on lines 76 to 103
// AWSConfidentialComputePolicy represents the confidential compute configuration for the instance.
// +kubebuilder:validation:Enum=Disabled;AmdSevSnp
type AWSConfidentialComputePolicy string

const (
// AWSConfidentialComputePolicyNone disables confidential computing for the instance.
AWSConfidentialComputePolicyNone AWSConfidentialComputePolicy = "None"
// AWSConfidentialComputePolicySEVSNP enables AMD SEV-SNP as the confidential computing technology for the instance.
AWSConfidentialComputePolicySEVSNP AWSConfidentialComputePolicy = "AmdSevSnp"
)

// CPUOptions defines CPU-related settings for the instance, including the confidential computing policy.
// +kubebuilder:validation:MinProperties=1
type CPUOptions struct {
// confidentialCompute specifies whether confidential computing should be enabled for the instance,
// and, if so, which confidential computing technology to use.
// Valid values are: None, AmdSev
// When set to None, confidential computing will be disabled for the instance.
// When set to AmdSevSnp, AMD SEV-SNP will be used as the confidential computing technology for the instance.
// In this case, ensure the following conditions are met:
// 1) The selected instance type supports AMD SEV-SNP.
// 2) The selected AWS region supports AMD SEV-SNP.
// 3) The selected AMI supports AMD SEV-SNP.
// More details can be checked at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html
// When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change without notice. The current default is Disabled.
// +optional
ConfidentialCompute AWSConfidentialComputePolicy `json:"confidentialCompute,omitempty"`
}

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's follow this pattern for types and constant names, which contains best practices in terms of API design: https://github.com/openshift/api/pull/2165/files#diff-9bd66f01f63b7ce0455fe993aa03dfe93964ac62b31278a6dbf3db2fcb7f792eR58-R168

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi Damiano
I did refer to the PR you mentioned when working on this one. I went with AWSConfidentialComputePolicyNone based on @everettraven’s advice in this discussion: openshift/api#2424 (comment). Could you please point out the exact changes you’d like so I can make sure it fully follows the API design best practices you’re referring to?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah I see. I left a comment there, let's then use the same approach we decide on there, also here, thanks @fangge1212

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 8, 2025
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 11, 2025
@fangge1212 fangge1212 force-pushed the amd_sev_snp_1 branch 2 times, most recently from 083ec14 to ae22824 Compare August 12, 2025 10:44
@fangge1212
Add support for AMD SEV-SNP instances
80bf0a3 
This commit adds support for AMD SEV-SNP instances, so users can
utilize confidential computing technology on cluster nodes.

Signed-off-by: Fangge Jin <[email protected]>
@k8s-ci-robot
Copy link
Contributor

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 12, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@damdo damdo damdo left review comments

@dlipovetsky dlipovetsky Awaiting requested review from dlipovetsky

@fiunchinho fiunchinho Awaiting requested review from fiunchinho

Assignees
No one assigned
Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. needs-priority needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@fangge1212 @k8s-ci-robot @damdo